12.10.8. Configuring mail security rules

You configure mail security rules at the security-policy mail-security level. For more details on the command structure, see Configuring Rules Using UPL.

You need to specify the following:

Parameter

Description

PASS

WARNING

DENY("with error")

DENY

Action for the mail security rule:

  • PASS: pass the traffic unchanged.

  • WARNING: mark email messages with a special tag in the subject line or additional field.

  • DENY("with error"): block the email and report an error in mail delivery to the SMTP server (for SMTP(S) traffic) or the client (for POP3(S) traffic).

  • DENY: drop without error: block the mail without reporting that it has been blocked.

enabled

Enable/disable a rule:

  • enabled(yes) or enabled(true).

  • enabled(no) or enabled(false).

name

Name for the mail security rule.

Example: name("Mail security rule example").

desc

A description of the rule.

Example: desc("Mail security rule example configured in CLI").

antispam_usergate

Apply UserGate antispam check to mail traffic (it can be set for rules that use the following actions: Mark, Drop with error or Drop without error):

  • antispam_usergate(yes) or antispam_usergate(true): enable checking.

  • antispam_usergate(no) or antispam_usergate(false): disable checking.

dnsbl

Antispam check using the DNSBL technology. This applies only to SMTP traffic in rules that use the following actions: Mark, Drop with error or Drop without error:

  • dnsbl(yes) or dnsbl(true): enable antispam checking.

  • dnsbl(no) or dnsbl(false): disable antispam checking.

When email traffic is checked using DNSBL, the IP address of the spam sender's SMTP server is blocked when the SMTP connection is created, thus helping to substantially decrease the load on other methods of checking email for spam and viruses.

mark_hdr

Header. Field where the mark tag should be inserted. Specify it for rules with the Mark action: mark_hdr(Subject).

mark

Text of the tag to mark the email; specified for rules with the Mark action, e.g. mark("Text for marking emails").

src.zone

Traffic source zone.

To specify a source zone, such as Trusted: src.zone = Trusted.

For more details about configuring zones using the CLI, see Zones.

src.ip

Add source IP address or domain lists.

Example for IP addresses: src.ip = lib.network(). Specify the list name in parentheses. For more details about how to create and configure IP address lists using CLI, see Configuring IP addresses.

Example for domains: src.ip = lib.url(). Specify the URL to which necessary domains were added in parentheses. For more details about how to create and configure URL lists using the CLI, see Configuring URL lists.

src.geoip

Source GeoIP. Specify a country code (for example, src.geoip = AE).

Click here for the list of ISO 3166-1 country codes.

Important! There is a limit on the number of GeoIPs that can be specified: the number cannot exceed 15.

user

Users and user groups for which the mail security rule applies (local or LDAP).

To add LDAP groups and users, you need to have a correctly configured LDAP connector (for more information about configuring LDAP connectors via the CLI, see Configuring LDAP connectors).

The following line describes how to add a local user (local_user) and group (Local Group), a user (example.local\AD_user), and an LDAP group (AD group):

user = (local_user, "CN=Local Group, DC=LOCAL", "example.loc\\AD_user", "CN=AD group, OU=Example, DC= example, DC=loc")

The Active Directory domain example.loc has been already configured. When adding LDAP users and groups, you can specify a list of paths on the server, starting from which the system will search for users and groups.

dst.zone

Traffic destination zone, e.g. dst.zone = Untrusted.

For more details about configuring zones using the CLI, see Zones.

dst.ip

Add lists of destination IP addresses or domains.

To specify an IP address list: dst.ip = lib.network(). Specify the list name in parentheses. For more details about how to create and configure IP address lists using CLI, see Configuring IP addresses.

To specify a domain list: dst.ip = lib.url(). Specify the URL to which the necessary domains were added in parentheses. For more details about how to create and configure URL lists using the CLI, see Configuring URL lists.

dst.geoip

Destination GeoIP. Specify a country code (for example, dst.geoip = AE).

Click here for the list of ISO 3166-1 country codes.

Important! There is a limit on the number of GeoIPs that can be specified: the number cannot exceed 15.

service

The email protocol (POP3 or SMTP), to which this rule will be applied.

To specify a single service: service = "service name". To specify multiple services: service = (service-name1, service-name2, ...).

envelope_from

Sender's email address (for SMTP protocol only). Specify email groups in the following format: envelope_from = "Sender email group".

For more details about creating and configuring email groups, see Configuring email addresses.

envelop_to

Recipient's email address (for SMTP protocol only). Specify an email group in the following format: envelope_to = "Receiver email group".

For more details about creating and configuring email groups, see Configuring email addresses.